Use Privacy Access Tokens, CAPTCHA, and Rack to rate limit sign ins and sign ups

[mercedesb]

Resolves #3518

What was the end-user or developer problem that led to this PR?

Please see #3518

Rubygems.org wants to reduce (and prevent if possible) bot activity around signup and login. Captchas are a common way to reduce activity, but can also be annoying and repetitive. We’d like to use Privacy Pass to get the same security with a smoother user experience then Captcha, although it doesn’t completely replace Captchas.

What is your fix for the problem, implemented in this PR?

Following the product design in the linked issue, I've implemented privacy pass token challenges and redemption, hcaptcha verification, and stricter rate limiting around sign in and sign up.

To test

Privacy pass is currently supported on iOS and MacOS Ventura. I tested this with Safari in MacOS Ventura 13.2.1 (it doesn't work in any non-Apple browser yet as far as I can tell).

Deployment next steps

Once we hear back from Fastly about getting added to their beta issuer we can take the following steps

1. Uncomment the PRIVACY_PASS_ISSUER_PUBLIC_KEY and PRIVACY_PASS_ISSUER_NAME vars from config/deploy/unicorn.yaml.erb
2. Add the var values to config/deploy/staging/secrets.ejson and config/deploy/production/secrets.ejson

Other helpful info

Apple has the best info currently about how to set up your web server to serve privacy pass challenges and redeem privacy pass tokens.

The various docs around the IETF RFC are also helpful

• https://www.ietf.org/archive/id/draft-ietf-privacypass-auth-scheme-08.html#name-token-challenge
• https://www.ietf.org/archive/id/draft-ietf-privacypass-architecture-03.html#name-redemption-protocol
• https://www.ietf.org/archive/id/draft-ietf-privacypass-protocol-04.html#section-6.3

hcaptcha was straightforward to get set up and working. Their docs are pretty good.

Make sure the following tasks are checked

• Describe the problem / feature
• Write tests for features and bug fixes
• Write code to solve the problem
• Make sure you follow the current code style and write meaningful commit messages without tags

[codecov]

Codecov Report

Merging #3519 (2619a61) into master (ebf32fe) will decrease coverage by 0.05%.
The diff coverage is 97.81%.

@@            Coverage Diff             @@
##           master    #3519      +/-   ##
==========================================
- Coverage   98.69%   98.65%   -0.05%     
==========================================
  Files         198      204       +6     
  Lines        4902     5120     +218     
==========================================
+ Hits         4838     5051     +213     
- Misses         64       69       +5     

Impacted Files	Coverage Δ
lib/hcaptcha_verifier.rb	90.00% <90.00%> (ø)
app/controllers/users_controller.rb	97.50% <96.87%> (-2.50%)	⬇️
app/controllers/concerns/captcha_verifiable.rb	100.00% <100.00%> (ø)
...p/controllers/concerns/privacy_pass_supportable.rb	100.00% <100.00%> (ø)
app/controllers/sessions_controller.rb	100.00% <100.00%> (ø)
app/helpers/hcaptcha_helper.rb	100.00% <100.00%> (ø)
lib/privacy_pass_redeemer.rb	100.00% <100.00%> (ø)
lib/privacy_pass_tokenizer.rb	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[segiddins]

is resource only: [] any different from using namespace ?

[mercedesb]

Good question, I was following the pattern that currently exists in routes for session and I think in this case it makes more sense. /user isn't a namespace but a singular resource. Namespacing it would mean that by convention we would expect the controller to exist within a user module.

From the Rails docs

2.5 Singular Resources
Sometimes, you have a resource that clients always look up without referencing an ID. ..
2.6 Controller Namespaces and Routing
You may wish to organize groups of controllers under a namespace. Most commonly, you might group a number of administrative controllers under an Admin:: namespace, and place these controllers under the app/controllers/admin directory. You can route to such a group by using a namespace block:

[segiddins]

should this be 2 since it's a uint16_t as opposed to a uint8?

[mercedesb]

No, because we're checking the length of unpacked data and we're unpacking this via the uint16 directive (n)

[indirect]

Fastly says we are in their beta access group now, and they are targeting end of Q2 for the beta issuer. In the meantime, I would be okay to ship this with just captchas now, and add privacy pass support once there's a production issuer. (Fastly says the demo issuer that we built this to work with is not for production use, so we shouldn't ship anything that depends on that.)

[mercedesb]

In the meantime, I would be okay to ship this with just captchas now, and add privacy pass support once there's a production issuer.

Based on @indirect's most recent feedback, I went ahead and feature flagged the privacy pass implementation using LaunchDarkly (someone with access to that will need to configure the variation)

[segiddins]

nit: let's call the flag "gemcutter.privacy_pass.enabled". should we use the current controller & action as the key, so we can test by only turning it on for a single action, rather than every action?

[mercedesb]

I updated the name.

I think using the current controller would be good. My only concern about using the action is that for every place we want it (sign up or sign in) we actually need it enabled in 2 actions. The new action presents the challenge and the create action handles redeeming the token.

[segiddins]

fair enough! I just think we'll need a kind on the LDContext of say controller so it doesn't look like a user

[simi]

Can you move HCAPTCHA_SITE_KEY to be ingested in config/secrets.yml from ENV (and specify this default for dev/testing environment if useful), introduce helper like hcaptcha_site_key to read secrets and use it in templates?

[simi]

RestClient was replaced by Faraday recently at #3602

[simi]

Per my local testing, captcha is also created when trying to login with unknown email, that means @user is nil in here and it crashes.

[simi]

The same seems applied when using wrong password for existing account. find_user returns nil -> @user is nil.

[simi]

I did some testing and left some initial comments. Regarding ENV values, please move them into config/secrets.yml (could be ingested from ENV still) or to config/rubygems.yml for fixed values.

Here's a screenshot from testing of captcha. The red text is just notice of using testing environment. It looks good to me.

[mercedesb]

• put hcpatcha vals into secrets with testing creds as dev defaults
• replaced RestClient with Faraday
• fixed bug when user not found on login but captcha conditions met

[mercedesb]

I got an email from GitGuardian about an exposed generic password. But I think that's ok b/c Hcaptcha publicly publishes this site key and secret for development testing

[simi]

Would it make sense to move this also to rubygems.yml/secrets.yml?

[mercedesb]

I can. It's not really a secret but no harm in adding it there.

[simi]

I found out this a little hard to read during testing. Would it be possible to keep the condition "positive"?

return session[:redeemed_privacy_pass] if session.key?(:redeemed_privacy_pass)

[simi]

@mercedesb any more hints for local Privacy pass testing? I tried with Privacy pass extension, but I couldn't get it to work 🤔.

[mercedesb]

any more hints for local Privacy pass testing? I tried with Privacy pass extension, but I couldn't get it to work

1. We're using the Fastly issuer and Fastly does not work with the Privacy Pass extension. That extension is a Cloudflare product.
2. I never had much luck testing with the extension anywhere on the web and neither did a colleague of mine. They have a lot of open issues in their client repo with people having similar trouble and I don't have a lot of confidence in how well-supported the extension is.

Privacy Pass is currently supported natively only in iOS 16+, iPad 16+, macOS Ventura (13+). Through my testing, I had to use the Safari browser. But if you're running a supported OS with Safari, that should be all you need for testing.

If things are working as expected, you won't see the 401 response with the token challenge in the browser's dev tools' Network tab. You'll see a 200 with an Authorization header from the client which means the challenge was handled successfully. But you can step through the code to see the entire flow.

[simi]

That extension supports also hCaptcha and seems active on hCaptcha rubygems.org page, but I couldn't get it to work as well. I don't have any Apple product around to test this.

[mercedesb]

That extension supports also hCaptcha and seems active on hCaptcha rubygems.org page

hcaptcha is a different issuer and won't work with Fastly tokens. We are using the Fastly issuer.

I don't have any Apple product around to test this.

That's a bummer. Given that Apple seems to be the only native support for PATs at the moment, I do think it important that it's tested there.

[simi]

If I understand it well, this is tricky to test. valid? is called few lines before, but this save can still fail. In theory codecov could be fixed by using save! and rescue_from, but I'm not sure if that's worth it. 🤔

[simi]

That's a bummer. Given that Apple seems to be the only native support for PATs at the moment, I do think it important that it's tested there.

We can ask someone for help with testing on staging.

Other than that part I can't test, this looks good to me. 💪

[simi]

nitpick: I'm personally not big fan of call methods if not used as a proc. Would it make sense to rename this to something like verified?. Similar change could be done in PrivacyPassRedeemer.

[simi]

Is this codecov complain related to stubs being used in tests instead of using test adapter? 🤔

https://lostisland.github.io/faraday/adapters/testing